Merge pull request #40 from mastahyeti/better_origin_checking

Consider basic auth creds in isSameOrigin
josh · Dec 10, 2014 · 9e2b51c · 9e2b51c
2 parents 560d412 + ee92b37
commit 9e2b51c
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/csrf.coffee b/csrf.coffee
@@ -64,5 +64,4 @@ $(document).on 'submit:prepare', 'form', ->
 isSameOrigin = (url) ->
   a = document.createElement 'a'
   a.href = url
-  origin = a.href.split('/', 3).join "/"
-  location.href.indexOf(origin) is 0
+  "#{location.protocol}//#{location.host}" == "#{a.protocol}//#{a.host}"
diff --git a/test/unit/csrf.coffee b/test/unit/csrf.coffee
@@ -80,6 +80,19 @@ each frameworks, (framework) ->
 
     form.submit()
 
+  asyncTest "adds X-CSRF-Token to POST forms when URL contains basic auth credentials", ->
+    token = "2705a83a5a0659cce34583972637eda5"
+    @$("<meta content=authenticity_token name=csrf-param>").appendTo('body')
+    @$("<meta name=csrf-token content=#{token}>").appendTo('body')
+
+    form = @$("<form action='#{@window.location.protocol}//username:password@#{@window.location.host}/echo?iframe=1&callback=formSubmitted' method=POST></form>").appendTo('body')
+
+    window.formSubmitted = (data) ->
+      equal token, data.params['authenticity_token']
+      start()
+
+    form.submit()
+
   asyncTest "doesn't add X-CSRF-Token to GET forms", ->
     token = "2705a83a5a0659cce34583972637eda5"
     @$("<meta content=authenticity_token name=csrf-param>").appendTo('body')